CVE-2022-23515 – loofah

Package

Manager: gem
Name: loofah
Vulnerable Version: >=2.1.0 <2.19.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00236 pctl0.46432

Details

Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`. ## Severity The Loofah maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266) - https://hackerone.com/reports/1694173 - https://github.com/flavorjones/loofah/issues/101 ## Credit This vulnerability was responsibly reported by Maciej Piechota (@haqpl).

Metadata

Created: 2022-12-13T17:39:36Z
Modified: 2023-09-14T16:20:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-228g-948r-83gx/GHSA-228g-948r-83gx.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-228g-948r-83gx
Finding: F008
Auto approve: 1